Thycotic’s Cyber Security Publication

How to meet FISMA Compliance in 9 Steps

November 16th, 2016

Who must meet FISMA compliance, and how do you do it?

To protect classified data and mission-critical government systems from cyber attack, the Federal Information Security Management Act (FISMA) mandates that federal agencies (as well as contractors that wish to do business with the federal government) develop, document, and implement a cyber security program.

If you work in security for the federal government or have any dealings with computer systems for any government agency, you know there are policies in place to generally protect systems—PoS (point of sale) systems, web servers, mail servers, or servers housing top secret data—across the board.

But any organization that maintains a computer network is vulnerable to outside attacks. Criminal hackers are automatically pinging addresses (including your home router) looking for cracks they can sneak through. It’s bad enough when the attack is on your personal data. Now, apply that to the federal government, the FBI, IRS, DoD, etc. When something is stolen from a government agency and leaked it can be devastating. This data here obviously needs exceptional protection. And this is where FISMA compliance comes in.

FISMA: Federal Information Security Management Act

FISMA is the high-level compliance driver for the federal government. It is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA assigns responsibilities to various agencies to ensure the security of data in the federal government. The act requires program officials, and the head of each agency, to conduct annual reviews of information security programs, with the intent of keeping risks at or below specified acceptable levels in a cost-effective, timely, and efficient manner.

1. Categorize the information to be protected.
2. Select minimum baseline controls.
3. Refine controls using a risk assessment procedure.
4. Document the controls in the system security plan.
5. Implement security controls in appropriate information systems.
6. Assess the effectiveness of the security controls once they have been implemented.
7. Determine agency-level risk to the mission or business case.
8. Authorize the information system for processing.
9. Monitor the security controls on a continuous basis.
(http://searchsecurity.techtarget.com/definition/Federal-Information-Security-Management-Act)

We protect valuable computer assets from a hacker when they compromise the perimeter, because there is a high probability they will.

What do you need to protect? Most data and other security assets can only be accessed using a privileged account, so it makes sense to start there. We recommend protecting privileged access across the enterprise and lock down Windows endpoints to prevent a hacker’s ability to get access to privileged accounts. Note that it does not necessarily prevent hackers from getting in, but we protect valuable computer assets from a hacker when they compromise the perimeter, because there is a high probability they will. It’s not a question of if, it’s a question of when, and how many times. And we’re not just talking about external hackers and threats. We’re talking about internal threats as well.

The Thycotic approach

To simplify our approach at Thycotic, this is what we do:

1. Discover accounts on computer assets (workstations, server, switches, routers, *NIX systems)
2. Identify (on Windows systems) which of those accounts have administrative rights. These are the accounts you need to control access to because this is what hackers are looking to compromise.
3. Remove administrative rights from day-to-day users. Keep all ‘regular’ users in STANDARD USER CONTEXT. (You might be interested in this: How to Remove Admin Rights Without Reducing Productivity.)
4. Control access to those administrative accounts that remain.
5. Discover what applications require administrative rights – if you don’t know already.
6. Apply application controls around all processes/programs/executables/installers run by both end users and administrative users.
a. Including the ability to protect systems from the unknown by applying real-time application analysis to protect against zero-day attacks ransomware and other malicious software.

With this approach, you can keep the bad guys away from your data, and keep them (or anyone else using an email attachment, or a browser session, etc.) from running bad things on your computers – workstations or servers, real or virtual.

If you can do all of this, and provide a centralized place to manage all of it – AND provide (in that same centralized location) the ability to create nice audit reports around all of this security management, you are well on your way in meeting compliance. Compliance is not only FISMA, but for other standards as well.

FISMA Compliance is largely about common sense. Once you read all the small print included in the standards you need to follow, it really boils down to this:

• Control access to data and resources
• Provide backup and recovery mechanisms for your data
• Get everyone on board to use the controls you put in place to protect your data
• Make sure you can prove your controls are working

Here at Thycotic, we can get you well on your way in putting compliance practices in place no matter the standards that govern you and your organization.

If FISMA compliance is important to you, try our free tool to uncover accounts on your Windows system that may be unmanaged and vulnerable:

Ed Breay

Ed Breay is the Director of Sales Engineering for Thycotic with over 20 years in the Identity Management space and a degree in Electrical Engineering from The University of Colorado. He is a subject matter expert in Privilege Management for Windows and enjoys sharing his security experiences to all levels of the Information Security community. When he’s not talking tech, you’ll find Ed traveling and spending time in the great Rocky Mountain outdoors.